The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.
APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with Russia's strategic military intelligence unit, the GRU.
The hacking crew operates with a high level of stealth and sophistication, often demonstrating its adaptability through deep preparedness and custom tooling, and relying on legitimate internet services (LIS) and living-off-the-land binaries (LOLBins) to conceal its operations within regular network traffic.
"From April to December 2023, BlueDelta deployed Headlace malware in three distinct phases using geofencing techniques to target networks throughout Europe with a heavy focus on Ukraine," Recorded Future's Insikt Group said.
"BlueDelta's espionage activities reflect a broader strategy aimed at gathering intelligence on entities with military significance to Russia in the context of its ongoing aggression against Ukraine."
HeadLace, as previously documented by the Computer Emergency Response Team of Ukraine (CERT-UA), Zscaler, Proofpoint, and IBM X-Force, is distributed via spear-phishing emails containing malicious links that, when clicked, initiate a multi-stage infection sequence to drop the malware.
BlueDelta is said to have employed a seven-stage infrastructure chain during the first phase to deliver a malicious Windows BAT script (i.e., HeadLace) that's capable of downloading and running follow-on shell commands, subject to sandbox and geofencing checks.
The second phase, which commenced on September 28, 2023, is notable for using GitHub as the starting point of the redirection infrastructure, while the third phase switched to using PHP scripts hosted on InfinityFree beginning October 17, 2023.
"The last detected activity in phase three was in December 2023," the company said. "Since then, BlueDelta likely ceased using InfinityFree hosting and favored hosting infrastructure on webhook[.]site and mocky[.]io directly."
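The three phases described above share one defensive handle: each stage of the redirection chain lands on a legitimate internet service (GitHub, InfinityFree, webhook.site, mocky.io), so a single request to one of them is low-signal, but a client that hops from one to the next, each request refered by the previous one, is worth triage. The following Python script is an added example, not code from the article or from Recorded Future: it parses constructed proxy log lines, flags requests to the services the article names, and then joins consecutive hits per client into referer-linked chains. The log format, the sample lines, the placeholder URLs and the `infinityfree.net` suffix are all assumptions made for illustration and should be replaced with your own proxy schema and threat intel.

```python
"""Added example (not from the article or Recorded Future): flag proxy-log
requests to the legitimate internet services (LIS) the article names as
BlueDelta redirection/hosting infrastructure and join them into chains.
The log format, sample lines and URL paths are constructed; the domains
are the ones named in the article (infinityfree.net suffix is an assumption)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Services the article names per phase. All are widely used for benign work,
# so a hit is a lead to triage, not a verdict on its own.
WATCHED_DOMAINS = {
    "github.com": "phase 2 redirection start",
    "raw.githubusercontent.com": "phase 2 redirection start",
    "infinityfree.net": "phase 3 PHP redirectors (assumed hosting suffix)",
    "webhook.site": "post-phase-3 hosting",
    "mocky.io": "post-phase-3 hosting / credential pages",
}

# Constructed proxy log format: timestamp client method url status referer ('-' = none).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)

# Constructed sample lines: client 10.0.4.21 walks a three-hop chain, the
# other two clients each touch a watched service once with no referer.
SAMPLE_LOG = """\
2023-10-18T09:12:01Z 10.0.4.21 GET https://github.com/example-org/example-repo 200 -
2023-10-18T09:12:02Z 10.0.4.21 GET https://example-redirector.infinityfree.net/index.php 302 https://github.com/example-org/example-repo
2023-10-18T09:12:03Z 10.0.4.21 GET https://run.mocky.io/v3/placeholder-id 200 https://example-redirector.infinityfree.net/index.php
2023-10-18T09:15:40Z 10.0.4.22 GET https://github.com/python/cpython 200 -
2023-10-18T09:16:10Z 10.0.4.23 GET https://webhook.site/placeholder-uuid 200 -
"""


def watched_label(host):
    """Return the watch-list label if host equals, or is a subdomain of, a watched domain."""
    host = (host or "").lower().rstrip(".")
    for domain, label in WATCHED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def scan_log(text):
    """Parse log lines and return one dict per request that reaches a watched domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        host = urlparse(m["url"]).hostname or ""
        label = watched_label(host)
        if label is None:
            continue
        referer_host = ""
        if m["referer"] != "-":
            referer_host = urlparse(m["referer"]).hostname or ""
        hits.append({
            "ts": m["ts"], "client": m["client"], "host": host, "label": label,
            "status": int(m["status"]), "referer_host": referer_host,
        })
    return hits


def find_redirect_chains(hits, min_len=2):
    """Per client, join consecutive hits whose referer is itself a watched host.

    Hits are assumed to be in time order. A chain of length >= min_len mirrors
    the LIS-to-LIS hand-off the article describes and is the unit to escalate.
    """
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append(h)
    chains = []
    for client_hits in by_client.values():
        chain = []
        for h in client_hits:
            if chain and watched_label(h["referer_host"]):
                chain.append(h)  # refered from a watched host: extend the chain
            else:
                if len(chain) >= min_len:
                    chains.append(chain)
                chain = [h]  # start a new candidate chain
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for chain in find_redirect_chains(found):
        hops = " -> ".join(h["host"] for h in chain)
        print(f"{chain[0]['client']}: {len(chain)}-hop LIS chain: {hops}")
```

Single hits to GitHub or webhook.site are deliberately not reported on their own; the chain detector only escalates when the referer of each hop is itself a watched service, which is the pattern that distinguishes the redirection infrastructure from ordinary developer traffic.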
BlueDelta has also been found to undertake credential harvesting operations designed to target services like Yahoo! and UKR[.]net by serving lookalike pages and ultimately tricking victims into entering their credentials.
Another technique involved creating dedicated web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the entered credentials. Earlier this February, a U.S.-led law enforcement operation disrupted a botnet comprising Ubiquiti EdgeRouters that was put to use by APT28 for this purpose.
Targets of the credential harvesting activity included the Ukrainian Ministry of Defence, Ukrainian weapons import and export companies, European railway infrastructure, and a think tank based in Azerbaijan.
"Successfully infiltrating networks associated with Ukraine's Ministry of Defence and European railway systems could allow BlueDelta to gather intelligence that potentially shapes battlefield tactics and broader military strategies," Recorded Future said.
"Moreover, BlueDelta's interest in the Azerbaijan Center for Economic and Social Development suggests an agenda to understand and possibly influence regional policies."
The development comes as another state-sponsored Russian threat group called Turla has been observed leveraging human rights seminar invitations as phishing email decoys to execute a payload similar to the TinyTurla backdoor using the Microsoft Build Engine (MSBuild).
References
[1] https://thehackernews.com/2024/05/russian-hackers-target-europe-with.html
Originally published on the WeChat public account 知机安全: "Russian hackers target Europe with HeadLace malware and credential harvesting"